Node v6.9.0、v4.6.1、v0.12.17 和 v0.10.48 发布

Node.js v6.9.0、v4.6.1、v0.12.17 和 v0.10.48 发布了。Node.js 是一套用来编写高性能网络服务器的 JavaScript 工具包

Node.js v6.9.0 LTS “Boron” 值得关注的更新：

crypto: Don’t automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location. (Fedor Indutny, Rod Vagg)
node: Introduce the process.release.lts property, set to "Boron". This value is "Argon" for v4 LTS releases and undefined for all other releases. (Rod Vagg)
V8: Backport fix for CVE-2016-5172, an arbitrary memory read. The parser in V8 mishandled scopes, potentially allowing an attacker to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. This vulnerability would require an attacker to be able to execute arbitrary JavaScript code in a Node.js process. (Rod Vagg)
v8_inspector: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with --inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Vulnerability originally reported by Jann Horn. (Eugene Ostroukhov)